Generating Software Bill of Material for Vulnerability Management and License Compliance

dc.contributor: Aalto-yliopisto (fi)
dc.contributor: Aalto University (en)
dc.contributor.advisor: Koskenheimo, Kirsi
dc.contributor.author: Lin, Lu
dc.contributor.school: Perustieteiden korkeakoulu (School of Science) (fi)
dc.contributor.supervisor: Aura, Tuomas
dc.date.accessioned: 2023-01-29T18:07:06Z
dc.date.available: 2023-01-29T18:07:06Z
dc.date.issued: 2023-01-23
dc.description.abstract: As the proportion of open source software in applications continues to rise, it has substantially improved development efficiency while posing challenges to software supply chain security. The relationships between dependencies are intricate: direct dependencies can be obtained from the package manager, but transitive dependencies must be identified by following the dependency graph. Tracking and patching vulnerabilities in transitive dependencies is one of the challenges in DevSecOps. The industry currently employs the software bill of materials (SBOM) for dependency tracking, but integrating SBOMs into DevSecOps is difficult because there is no unified standard or established practical procedure. This thesis explores how to ensure the security and license compliance of open source components in the software supply chain. The goal is to implement a Software Composition Analysis (SCA) system that continuously monitors dependencies. We analyzed and compared existing SBOM generation tools and selected the native CycloneDX plug-ins and libraries based on the accuracy of their results and the adaptability of the SBOM format, then integrated them with Dependency Track for vulnerability tracking. In consultation with the company's legal department, we clarified distinct compliance policies for software in each application area and set up policy rules in Dependency Track to automate the compliance process. As a result, we developed an SCA system applicable to the company's research and development process. Through the CI/CD pipeline of the DevOps system, we obtain up-to-date information on dependencies and their licenses in real time. The generated SBOMs are forwarded to the internal Dependency Track server, which supports vulnerability tracking, license auditing and compliance enforcement.
During this work we found that an SBOM is not immutable: because no integrity check is performed on it, an attacker who tampers with the SBOM can still evade detection. Future work should therefore emphasize SBOM integrity checking. (en)
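The pipeline the abstract describes (an SBOM generated in CI, forwarded to a Dependency Track server, a license policy applied per application area, and the closing caveat that an unverified SBOM can be tampered with) can be demonstrated on a small CycloneDX document. The following Python is an added example, not code from the thesis or from the CycloneDX or Dependency Track projects; the SBOM contents, the policy table, the component and license names, and the HMAC key are constructed for illustration.

```python
"""Added example (not from the thesis): classify direct vs transitive
dependencies in a CycloneDX JSON SBOM, evaluate a per-application-area
license policy, and verify SBOM integrity with an HMAC before upload.
The SBOM, policy and key below are constructed for illustration."""
import hashlib
import hmac
import json
from collections import deque

# Constructed CycloneDX 1.4 document: app -> requests -> urllib3, plus a
# direct copyleft dependency. Not a real project's SBOM.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"component": {"type": "application", "bom-ref": "app@1.0.0",
                               "name": "app", "version": "1.0.0"}},
    "components": [
        {"type": "library", "bom-ref": "pkg:pypi/requests@2.28.1", "name": "requests",
         "version": "2.28.1", "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "bom-ref": "pkg:pypi/urllib3@1.26.12", "name": "urllib3",
         "version": "1.26.12", "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "bom-ref": "pkg:pypi/readline-gpl@0.1", "name": "readline-gpl",
         "version": "0.1", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    ],
    "dependencies": [
        {"ref": "app@1.0.0", "dependsOn": ["pkg:pypi/requests@2.28.1", "pkg:pypi/readline-gpl@0.1"]},
        {"ref": "pkg:pypi/requests@2.28.1", "dependsOn": ["pkg:pypi/urllib3@1.26.12"]},
        {"ref": "pkg:pypi/urllib3@1.26.12", "dependsOn": []},
        {"ref": "pkg:pypi/readline-gpl@0.1", "dependsOn": []},
    ],
}

# Hypothetical policy per application area: licences that may not ship.
POLICY = {
    "proprietary-product": {"GPL-2.0-only", "GPL-3.0-only", "AGPL-3.0-only"},
    "internal-tool": set(),
}


def classify_dependencies(bom):
    """Return {bom-ref: 'direct'|'transitive'} by walking the dependency graph
    from the root component. Anything reachable but not listed under the
    root's dependsOn is transitive."""
    graph = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    root = bom["metadata"]["component"]["bom-ref"]
    direct = set(graph.get(root, []))
    depth = {}
    queue = deque(direct)
    while queue:
        ref = queue.popleft()
        if ref in depth:          # already visited; also guards against cycles
            continue
        depth[ref] = "direct" if ref in direct else "transitive"
        queue.extend(graph.get(ref, []))
    return depth


def check_license_policy(bom, area, policy=POLICY):
    """List components whose licence is forbidden for the given area, tagged
    direct/transitive so the team knows who owns the fix."""
    forbidden = policy[area]
    depth = classify_dependencies(bom)
    violations = []
    for comp in bom.get("components", []):
        ids = {entry.get("license", {}).get("id") for entry in comp.get("licenses", [])}
        for lic in sorted(ids & forbidden):
            violations.append((comp["name"], comp["version"], lic,
                               depth.get(comp["bom-ref"], "unreferenced")))
    return violations


def canonical_bytes(bom):
    """Serialise deterministically so the tag is reproducible across tools."""
    return json.dumps(bom, sort_keys=True, separators=(",", ":")).encode()


def sign_sbom(bom_bytes, key):
    """HMAC-SHA256 tag computed in the CI job that generated the SBOM."""
    return hmac.new(key, bom_bytes, hashlib.sha256).hexdigest()


def verify_sbom(bom_bytes, key, tag):
    """Constant-time check run before the SBOM is accepted for upload."""
    return hmac.compare_digest(sign_sbom(bom_bytes, key), tag)


if __name__ == "__main__":
    raw = canonical_bytes(SAMPLE_SBOM)
    key = b"ci-shared-secret"  # constructed; in practice from the CI secret store
    tag = sign_sbom(raw, key)
    print("integrity ok:", verify_sbom(raw, key, tag))
    tampered = raw.replace(b"GPL-3.0-only", b"MIT")  # attacker hides a copyleft licence
    print("tampering detected:", not verify_sbom(tampered, key, tag))
    for v in check_license_policy(SAMPLE_SBOM, "proprietary-product"):
        print("policy violation:", v)
```

The HMAC here is a shared secret between the CI job and the upload step, which is enough to detect modification in transit but gives no non-repudiation; a detached signature over the same canonical bytes (for example a cosign-style attestation) would serve the same purpose with a verifiable signer identity.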
dc.format.extent: 64+9
dc.identifier.uri: https://aaltodoc.aalto.fi/handle/123456789/119386
dc.identifier.urn: URN:NBN:fi:aalto-202301291736
dc.language.iso: en (en)
dc.programme: Master’s Programme in Computer, Communication and Information Sciences (fi)
dc.programme.major: Lu Lin (fi)
dc.programme.mcode: SCI3084 (fi)
dc.subject.keyword: open source software (en)
dc.subject.keyword: software composition analysis (en)
dc.subject.keyword: SBOM (en)
dc.subject.keyword: vulnerability management (en)
dc.subject.keyword: license compliance (en)
dc.title: Generating Software Bill of Material for Vulnerability Management and License Compliance (en)
dc.type: G2 Pro gradu, diplomityö (G2 Master's thesis) (fi)
dc.type.ontasot: Master's thesis (en)
dc.type.ontasot: Diplomityö (Master's thesis) (fi)
local.aalto.electroniconly: yes
local.aalto.openaccess: no